diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index e733098..954b965 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -96,6 +96,9 @@ jobs:
       # upload to PyPI on every tag starting with 'v'
       # if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
       # alternatively, to publish when a GitHub Release is created, use the following rule:
+    permissions:
+      id-token: write
+      contents: read
     if: github.event_name == 'release' && github.event.action == 'published'
     steps:
       - name: Download artifacts